A Theory on Information Security

Australasian Conference on Information Systems 2016, Wollongong, Australia
Horne et al.

Craig A. Horne

Department of Computing and Information Systems The University of Melbourne Victoria, Australia Email: [email protected]

Atif Ahmad

Department of Computing and Information Systems The University of Melbourne Victoria, Australia Email: [email protected]

Sean B. Maynard

Department of Computing and Information Systems The University of Melbourne Victoria, Australia Email: [email protected]

Abstract

This paper proposes a theory on information security. We argue that information security is imperfectly understood and aim to bring about an altered understanding of why efforts are made to engage in information security. The goal of information security is widely recognised as the confidentiality, integrity and availability of information; we argue, however, that the goal is actually to create resources. This paper responds to calls for more theory in information systems, places the discussion in philosophical context and compares various definitions. It then identifies the key concepts of information security and describes the relationships between these concepts, as well as their scope and causal explanations. The paper provides the theoretical base for understanding why information is protected, together with theoretical and practical implications and suggestions for future research.

Keywords

Information security, resources, controls, threats, theory development.


1 INTRODUCTION

Despite the concept of information security being very well established, the reasons and motivations behind it are imperfectly understood. This paper seeks to explain how and why the phenomena that comprise the concepts of information security occur. The emphasis for this paper is to explain the information security concepts and relationships between them in order to alter our understanding of why we protect information.

This proposed theory on information security simply states that the motivation behind all attempts by an organisation to secure information against threats is to create resources that can later improve organisational performance. Information will degrade over time without adequate controls implemented for its protection. In terms of the taxonomy of information systems theories presented by Gregor (2006), this manuscript provides a (Type 2) high-level theory for explanation, describing how and why the phenomenon of information security occurs.

The theory on information security originates from the area of information systems and is built entirely from concepts that relate to information and the breadth of systems on which it can reside. It applies at several levels: to the protection of information used by individuals, groups and organisations, and to information shared between organisations. The consequence is that, depending on the information affected, degradation over time may reduce the usefulness of the resource and so lead to the potential erosion of competitive advantage or organisational success.

The paper proceeds in three major sections, with the major headings and sections structure adapted from Rivard (2014). In the next section, we introduce information security, discuss why a theory on information security is needed and carefully examine issues with existing theory. Secondly, we explain the theory on information security. Thirdly, we examine the implications for the development of this theory. Finally, we briefly draw conclusions, consider limitations and offer proposals for future research to improve our theoretical understanding of information security.

2 WHAT IS INFORMATION SECURITY?

The following section begins with a narrative describing why a new theory on information security is needed. This description of what motivates the study is based on an exploration of the theoretical issues in relevant literature. The result is a set of conditions that this new theoretical development then meets.

2.1 Motivating the Study

This paper is broadly motivated by calls for ‘good theory’ within the domain of information systems (Webster and Watson 2002; Zmud 1998; Zmud et al. 2001). The current paucity of good quality theories in the information systems domain leads to calls for development of our ‘own’ theory (Markus and Saunders 2007; Weber 2003; Weber 2012). Importantly, there have been calls for bolder and more original information systems explanatory theory (Grover et al. 2008). The development of new ideas and theories is scarce yet essential (Markus and Saunders 2007; Rivard 2014). Therefore, to begin with, as Weber (2003, p. iii) states, “choosing the phenomena we wish to explain or predict — is the most important decision we make as a researcher”.

More specifically, this paper is motivated by an apparent gap in the literature where a theory on information security is not apparent. A search of the academic literature, as described in the next section, does not reveal any literature that purports to offer a theory on information security. This search of overlooked areas is a form of neglect-spotting (Sandberg and Alvesson 2011).

Stronger theory can be produced from linking theories of diverse types and academics have been urged to consider combining other types of theory with their own (Gregor 2006). Towards that, using this theory on information security as one that underpins a theoretical perspective on information security strategy in organisations could prove useful (Horne et al. 2015).

There are theories that relate to information security. For example, the Theory of Information Warfare presents a model of information warfare in terms of four main elements: information resources, players, offensive operations, and defensive operations (Denning 1999). The Theory of Protection Motivation predicts users’ intentions to protect themselves after receiving fear-arousing recommendations (Rogers 1975). There are no theories, however, whose locus of knowledge is information security alone.


This gap however is not because information security is uninteresting. Almost every organisation requires information to function and disruption to information from a security breach can often lead to disruption of an organisation’s operations (Cavusoglu et al. 2004). Therefore filling this gap will make a valuable contribution to the body of knowledge.

2.2 Relevant Literature

A thematic study of the information systems literature is presented, in order to develop a perspective on information security and its interactions. The contextual setting is described before information security itself is examined. With this understanding, a theory on information security can then be posited based on commonly-accepted philosophy.

2.2.1 Context

The theories or knowledge within any discipline are explained based on questions grouped within four classes which, in descending order, are 1. domain, 2. ontology, 3. epistemology and 4. socio-political (Gregor 2006). This section explores the information security concept within the context of these four classes of questions.

Domain of Information Systems
Information systems has been defined as a collective term that refers to a number of areas of application, including enterprise integration, natural language translation, geographic information systems, legal information systems, and biological information systems (Guarino 1998). Separately, a core set of phenomena that defines the information systems field has been defined as including information technology (IT) capabilities, the IT artefact, IT practices, usage and impact (Benbasat and Zmud 2003). At the broadest level, the domain of information systems has been defined and explained as a system composed of people and computers that processes or interprets information, which is the view adopted throughout the rest of this paper (D'Atri et al. 2008).

Ontological Approach
Theory is understood within information systems as being broad in nature, to encompass frameworks, models, or the body of knowledge (Gregor 2006). The ontological character of theory types has been articulated as having five categorisations: analysis, explanation, prediction, explanation and prediction, and design and action (Gregor 2006). These categorisations provide researchers with a language to describe the various components of theory.

Epistemological Approach
To explore how theory can be constructed and what research methods can be used, we note that discussion in this area often contrasts the positivist and interpretivist views, or the quantitative and qualitative views (Gregor 2006). As explained later in Section 3.2 - Theory Type, the type of theory expounded in this paper is explanatory in nature, and theories of this nature are often associated with research in the interpretivist paradigm (Gregor 2006).

Socio-political Approach
Exploring where theory has been developed to date, we find that there have been a surprisingly low number of theories (fewer than half a dozen) that originated solely from the area of information systems (Markus and Saunders 2007). Other theories originate from both information systems and a reference discipline, whilst the remainder originate solely from another discipline (Gregor 2006).

Information security is a phenomenon within the information systems domain because it involves people protecting information that resides on computers, which are all common elements consistent with information systems. From an information systems viewpoint, information security is concerned with protecting information (Siponen and Oinas-Kukkonen 2007).

2.2.2 Defining Information Security

This section documents the definition and goal of each of computer security, information security and cyber security. Computer security, also known as information and communication technology (ICT) security, is the security of the computers that process and store information (Von Solms and Van Niekerk 2013). The goal of computer security is the confidentiality, integrity, availability, non-repudiation, accountability, authenticity, and reliability of information resources (Von Solms and Van Niekerk 2013).


Information security was once purely technical but has evolved over time to keep pace with changes to computers and networks (Von Solms and Van Niekerk 2013). The goal of information security involves preserving the confidentiality, integrity and availability of business information (McCumber 1991; Posthumus and von Solms 2004). The goal of information security has also been stated as safeguarding business continuity and reducing business impairment by constraining the effect of security incidents (Von Solms 1998). In another contribution the goal of information security was stated to be the confidentiality, integrity, availability and non-repudiation of information (Siponen and Oinas-Kukkonen 2007).

Cyber security is different from information security (Von Solms and Van Niekerk 2013). Although they are very different, the term cyber security seems to be used interchangeably with the term information security in the academic literature (Von Solms and Van Niekerk 2013). Cyber security transcends the boundaries of information security to include the defence of information and also of people (Von Solms and Van Niekerk 2013). The goal and general security objectives of cyber security are the availability, integrity and confidentiality of an organisation’s assets, including networks, infrastructure, information and personnel (Von Solms and Van Niekerk 2013). Examining the above discourse, we can see that there are three different definitions for computer security, information security and cyber security, but that their goals seem to be roughly similar, in that they are internally-focussed and revolve around confidentiality, integrity and availability. This homogeneity of goals is incongruous given the disparity in definitions, and the following section proposes an improved goal for information security.

3 A THEORY ON INFORMATION SECURITY

A theory can be defined as “a statement of relations among concepts within a boundary set of assumptions and constraints” (Bacharach 1989, p. 496). We argue that information security needs its own distinct goal rather than a copy of the goal of computer security, and we then deconstruct the proposed theory on information security into its various elements. This section describes the conceptual elements of the proposed theory, the relationships between the concepts, and the proposed use of the theory.

3.1 Theory Overview

Information security is a conscious or subconscious process in which people and organisations attempt to create sustainably-viable resources from information. They do so by applying suitable controls to protect information from threats, according to the goals for the use of that information. This then results in sustainable resources. Information security focusses on what protection is afforded to information and what use that protected information can then offer organisations.

3.2 Theory Type

A taxonomy of theory types articulates five categorisations: analysis, explanation, prediction, explanation and prediction, and design and action (Gregor 2006). This theory embodies the second type: a theory which provides “an explanation of how, why, and when things happened” (Gregor 2006, p. 619). To clarify, this paper does not describe and categorise themes within information security, as this alone is not theory (Bacharach 1989; Rivard 2014). Rather, this paper distils complex concepts in information security and then offers, in clear language, a new explanation of the motivations behind it.

Theories for explanation are described as an ideal type of theoretical contribution (Rivard 2014). Pure theory papers with explanations of theoretical mechanisms are welcomed as essays with highly valued characteristics (Markus and Saunders 2007). Other researchers have posited theories which are explanatory in nature without testable propositions (Orlikowski and Robey 1991). The writing of a paper where the end product is purely the advancement of a new theory via a detailed explanation is perfectly acceptable (Walsham 1995).

Construct validity can be said to have been achieved when, amongst other principles, the interlocking system of laws which constitute a theory (called a nomological network) are made clear, the theoretical constructs are observable, and the constructs in the nomological net have been elaborated on (Cronbach and Meehl 1955). It is understood that in the early history of a nomological net, as described in this paper, the network will be limited and have few connections.


3.3 Assumptions

Clarifying the assumptions of information security is important otherwise there is a risk of inappropriate use of the construct. This would then adversely affect construct validity and potentially the cumulative research tradition (Roberts et al. 2012).

Firstly, information security depends on a completed information classification assessment. This identifies what information is owned by the organisation and therefore what information needs to be protected. It also identifies which pieces of information are more important than others. Without this assessment of the information that is required to be protected, there is no way of clearly identifying which controls are most appropriate to deploy.

Secondly, an organisation’s information security depends on the security budget. If the security budget is not large enough to procure the minimum number of controls necessary to protect the information identified in the classification assessment, then the integrity of the information is threatened.

Finally, information security depends on an organisation’s ability to match controls with threats. Inappropriate selection of controls can lead either to wasteful spending on unnecessary controls or, conversely, to inadequate protection of information, which threatens its ability to be used sustainably.

3.4 Structural Components

There are various taxonomies of theory structure with one example describing the parts as being constructs, associations, states, events, and the whole theory as having importance, novelty, parsimony, level and falsifiability (Weber 2012). The structure used in this paper however is based on the “structural components of theory” (Gregor 2006, pp. 620). It includes means of representation, the constructs which together form the nomological net, the relationships between the constructs and the scope. Care is also taken to explain why some theory components were not applicable, such as causal explanations, testable propositions and prescriptive statements.

3.4.1 Means of Representation

This theory on information security must be represented physically (Gregor 2006). Figure 1 below shows the four constructs included in this theory on information security and the three relationships between the constructs.

Figure 1: Schematic of Theory on Information Security

3.4.2 Constructs

The nomological network comprises four main constructs: information, controls, threats and resources. The following section describes each in turn and ascribes meaning to each. Care is also taken to identify whether each construct is observable, because a necessary condition for a construct to be scientifically admissible is that it be part of a nomological net of observables (Cronbach and Meehl 1955). This allows the Verification Principle to be applied, which argues that only statements which are provable by observation can convey factual information.


Information
Information is seen as amorphous and can be printed on paper, stored on computers, sent by post or electronically, shown on videos and articulated in a discussion (Von Solms and Van Niekerk 2013). As well as being stored on physical media such as paper and digital media such as computers, information can also reside on cognitive media, i.e. people’s minds (Ahmad et al. 2005). Information can also have various levels of sensitivity, is difficult to control which sometimes results in leakage, and is intangible in nature (Ahmad et al. 2005). Information however is not data, with the distinction being that data are raw facts and information is processed data that is meaningful (McKinney Jr and Yoos 2010). It is interesting to note that information hosted in the cloud brings its own set of challenges including (1) long-term viability, where information restoration becomes doubtful should the cloud vendor become bankrupt, and (2) information availability, where cloud vendors may not restore to a different environment should the information become unavailable (Catteddu 2010).

Information has attributes including sensitivity and level of analysis. Non-sensitive information can be left unclassified; sensitive information is classified as PROTECTED, CONFIDENTIAL, SECRET or TOP SECRET. This classification is then used as a basis for allocating access rights to organisational staff (Ahmad et al. 2014). Information is created and used at all levels of analysis within an organisation at varying sensitivities, and Table 1 below provides examples of each:

Level of Analysis      Non-sensitive Information   Sensitive Information
Individual             Desk phone number           Passwords
Group                  Department name             Customer sales list
Organisational         Website URL                 Trade secrets
Inter-organisational   Purchase order number       Sales contract pricing
Table 1. Examples of Organisational Information and Level of Analysis
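As an added worked example (not code from the paper), the following Python models the classification-driven allocation of access rights described above: a total order over the labels the paper lists, optional need-to-know compartments written after "//", and a "no read up" rule under which a staff member may read an item only when their clearance dominates the item's label. The label syntax, the compartments, the dominance rule and the labels attached to the Table 1 examples are assumptions made for this example; the paper itself only states that classification is the basis for allocating access rights.

```python
"""Classification-driven access decision.

Added example, not code from the paper. It assumes a strict order over the
labels the paper lists (UNCLASSIFIED < PROTECTED < CONFIDENTIAL < SECRET <
TOP SECRET), optional need-to-know compartments written after '//', and a
'no read up' rule: a staff member may read an item only when their clearance
dominates the item's label. The label syntax, the compartments and the
inventory (labels assigned to the Table 1 examples) are constructed here.
"""
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    UNCLASSIFIED = 0
    PROTECTED = 1
    CONFIDENTIAL = 2
    SECRET = 3
    TOP_SECRET = 4


@dataclass(frozen=True)
class Label:
    level: Level
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        # Dominance on both axes: level at least as high, and every
        # compartment the item requires is held by the subject.
        return self.level >= other.level and other.compartments <= self.compartments


def parse_label(text: str) -> Label:
    """Parse 'SECRET//SALES,HR' into Label(SECRET, {SALES, HR}).

    Unknown level names are rejected rather than silently treated as low.
    """
    head, _, tail = text.strip().upper().partition("//")
    level_name = head.strip().replace(" ", "_")
    if level_name not in Level.__members__:
        raise ValueError(f"unknown classification level: {head!r}")
    compartments = frozenset(c.strip() for c in tail.split(",") if c.strip())
    return Label(Level[level_name], compartments)


@dataclass(frozen=True)
class Item:
    name: str
    label: Label


@dataclass(frozen=True)
class Staff:
    name: str
    clearance: Label


def can_read(subject: Staff, item: Item) -> bool:
    """No read up: the subject's clearance must dominate the item's label."""
    return subject.clearance.dominates(item.label)


def readable(subject: Staff, inventory: list) -> list:
    """Names of the inventory items the subject may read, in inventory order."""
    return [it.name for it in inventory if can_read(subject, it)]


# Constructed inventory: the Table 1 examples with labels assumed for illustration.
INVENTORY = [
    Item("Desk phone number", parse_label("UNCLASSIFIED")),
    Item("Passwords", parse_label("SECRET")),
    Item("Department name", parse_label("UNCLASSIFIED")),
    Item("Customer sales list", parse_label("CONFIDENTIAL//SALES")),
    Item("Website URL", parse_label("UNCLASSIFIED")),
    Item("Trade secrets", parse_label("TOP SECRET")),
    Item("Purchase order number", parse_label("UNCLASSIFIED")),
    Item("Sales contract pricing", parse_label("PROTECTED//SALES")),
]

if __name__ == "__main__":
    # A CONFIDENTIAL-cleared analyst holding the SALES caveat: sees the sales
    # items but neither the SECRET passwords nor the TOP SECRET trade secrets.
    analyst = Staff("analyst", parse_label("CONFIDENTIAL//SALES"))
    for name in readable(analyst, INVENTORY):
        print(name)
```

The compartment check is what makes the rule more than a level comparison: a SECRET-cleared member without the SALES caveat is still denied the CONFIDENTIAL//SALES customer list, which is the need-to-know refinement a classification scheme is normally paired with when access rights are allocated from it.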

Controls
Organisational security controls (or countermeasures) are defined as an appropriate mix of physical, technical or operational security controls. The goal of controls is to mitigate the risks to information (Posthumus and von Solms 2004). Controls are used to protect information by reducing the risk posed by exposures or vulnerabilities arising from threats (Von Solms and Van Niekerk 2013). A strong set of protective controls can provide an organisation with an effective defence capability and an organisation’s capabilities provide the best defence against the existing array of competitive forces (Porter 1980).

Controls stipulated by standards are intended to prevent and detect attacks from threats, primarily through the use of technical, formal, and informal controls. Technical controls are the computer-based countermeasures. Formal controls are the policies, procedures, and rules that direct staff. Informal controls refer to the development of a security culture and the provisioning of education, training and awareness programs (Beebe and Rao 2010).

Threats
There are many threats to the integrity, confidentiality, and availability of organisational information, along with many countermeasures (Workman et al. 2008). Threats to information systems security include unauthorised access, changing of information, and the destruction of protective infrastructure that helps preserve the confidentiality, integrity, and availability of the information (Workman et al. 2008). Various threats persistently target exposures or vulnerabilities and ultimately have an adverse impact on information (Beebe and Rao 2010; Von Solms and Van Niekerk 2013).

Resources

Resources have been defined as “inputs into the production process- they are the basic unit of analysis. The individual resources of the firm include items of capital equipment, skills of employees,

Recommended publications
  • Data and Database Security and Controls

    Data and Database Security and Controls

    1 Handbook of Information Security Management, Auerbach Publishers, 1993, pages 481-499. DATA AND DATABASE SECURITY AND CONTROLS Ravi S. Sandhu and Sushil Jajodia Center for Secure Information Systems & Department of Information and Software Systems Engineering George Mason University, Fairfax, VA 22030-4444 Telephone: 703-993-1659 1 Intro duction This chapter discusses the topic of data security and controls, primarily in the context of Database Management Systems DBMSs. The emphasis is on basic principles and mechanisms, which have b een successfully used by practitioners in actual pro ducts and systems. Where appropriate, the limitations of these techniques are also noted. Our discussion fo cuses on principles and general concepts. It is therefore indep endent of any particular pro duct except for section 7 which discusses some pro ducts. In the more detailed considerations we limit ourselves sp eci cally to relational DBMSs. The reader is assumed to be familiar with rudimentary concepts of relational databases and SQL. A brief review of essential concepts is given in the app endix. The chapter b egins with a review of basic security concepts in section 2. This is followed, in section 3, by a discussion of access controls in the current generation of commercially available DBMSs. Section 4 intro duces the problem of multilevel security. It is shown that the techniques of section 3 are inadequate to solve this problem. Additional techniques develop ed for multilevel security are reviewed. Sec- tion 5, discusses the various kinds of inference threats that arise in a database system, and discusses metho ds that have b een develop ed for dealing with them.
  • Information Security Essentials Definition of Information Security

    Information Security Essentials Definition of Information Security

    Computing Services Information Security Office Information Security Essentials Definition of Information Security Information security is the protection of information and systems from unauthorized access, disclosure, modification, destruction or disruption. The three objectives of information security are: • Confidentiality • Integrity • Availability Confidentiality Confidentiality refers to the protection of information from unauthorized access or disclosure. Ensuring confidentiality is ensuring that those who are authorized to access information are able to do so and those who are not authorized are prevented from doing so. Integrity Integrity refers to the protection of information from unauthorized modification or destruction. Ensuring integrity is ensuring that information and information systems are accurate, complete and uncorrupted. Availability Availability refers to the protection of information and information systems from unauthorized disruption. Ensuring availability is ensuring timely and reliable access to and use of information and information systems. Information Security Policy Carnegie Mellon has adopted an Information Security Policy as a measure to protect the confidentiality, integrity and availability of institutional data as well as any information systems that store, process or transmit institutional data. Institutional data is defined as any data that is owned or licensed by the university. Information system is defined as any electronic system that stores, processes or transmits information. Policies • Throughout its lifecycle, all Institutional Data shall be protected in a manner that is considered reasonable and appropriate given the level of sensitivity, value and criticality that the Institutional Data has to the University. 
• Any Information System that stores, processes or transmits Institutional Data shall be secured in a manner that is considered reasonable and appropriate given the level of sensitivity, value and criticality that the Institutional Data has to the University.
  • Application of Bioinformatics Methods to Recognition of Network Threats

    Application of Bioinformatics Methods to Recognition of Network Threats

    View metadata, citation and similar papers at core.ac.uk brought to you by CORE Paper Application of bioinformatics methods to recognition of network threats Adam Kozakiewicz, Anna Felkner, Piotr Kijewski, and Tomasz Jordan Kruk Abstract— Bioinformatics is a large group of methods used in of strings cacdbd and cawxb, character c is mismatched biology, mostly for analysis of gene sequences. The algorithms with w, both d’s and the x are opposite spaces, and all developed for this task have recently found a new application other characters are in matches. in network threat detection. This paper is an introduction to this area of research, presenting a survey of bioinformatics Definition 2 (from [2]) : A global multiple alignment of methods applied to this task, outlining the individual tasks k > 2 strings S = S1,S2,...,Sk is a natural generalization and methods used to solve them. It is argued that the early of alignment for two strings. Chosen spaces are inserted conclusion that such methods are ineffective against polymor- into (or at either end of) each of the k strings so that the re- phic attacks is in fact too pessimistic. sulting strings have the same length, defined to be l. Then Keywords— network threat analysis, sequence alignment, edit the strings are arrayed in k rows of l columns each, so distance, bioinformatics. that each character and space of each string is in a unique column. Alignment is necessary, since evolutionary processes intro- 1. Introduction duce mutations in the DNA and biologists do not know, whether nth symbol in one sequence indeed corresponds to When biologists discover a new gene, its function is not al- the nth symbol of the other sequence – a shift is probable.
  • New-Age Supercomputers: Hi-Speed Networks and Information Security

    New-Age Supercomputers: Hi-Speed Networks and Information Security

    Journal of Electrical and Electronic Engineering 2019; 7(3): 82-86 http://www.sciencepublishinggroup.com/j/jeee doi: 10.11648/j.jeee.20190703.12 ISSN: 2329-1613 (Print); ISSN: 2329-1605 (Online) New-age Supercomputers: Hi-Speed Networks and Information Security Andrey Molyakov Institute of Information Technologies and Cybersecurity, Russian State University for the Humanities, Moscow, Russia Email address: To cite this article: Andrey Molyakov. New-age Supercomputers: Hi-Speed Networks and Information Security. Journal of Electrical and Electronic Engineering. Special Issue: Science Innovation . Vol. 7, No. 3, 2019, pp. 82-86. doi: 10.11648/j.jeee.20190703.12 Received : August 18, 2019; Accepted : September 21, 2019; Published : October 9, 2019 Abstract: The author describes computing strategic tasks that are used for ensuring defense and national security, the most important scientific, technical, biomedical and sociology tasks. Most typically, these are capability-based tasks. Supercomputers for their solution are respectively called Technical Capability, i.e. machines of extreme technical capabilities. Machines of this segment are also called High End Computers (HEC), and in our terminology - strategic supercomputers (SCs). Moving to the engineering level, author says that for tasks with good spatio-temporal work with memory, cache memory and schemes for automatically pre-loading data into the cache memory can be effectively used. This can significantly reduce the average memory access time of several hundred processor cycles to fractions of a processor cycle. Such tasks are usually called computational or cache-friendly (cach-friendly) - CF tasks. On tasks with poor spatio-temporal work with memory, the cache memory is useless, so each memory access is hundreds of processor cycles, the processor is idle because of this, and therefore the real performance is in units or even a fraction of a percent of the peak.
  • Application of Bioinformatics Methods to Recognition of Network Threats

    Application of Bioinformatics Methods to Recognition of Network Threats

    Paper Application of bioinformatics methods to recognition of network threats Adam Kozakiewicz, Anna Felkner, Piotr Kijewski, and Tomasz Jordan Kruk Abstract— Bioinformatics is a large group of methods used in of strings cacdbd and cawxb, character c is mismatched biology, mostly for analysis of gene sequences. The algorithms with w, both d’s and the x are opposite spaces, and all developed for this task have recently found a new application other characters are in matches. in network threat detection. This paper is an introduction to this area of research, presenting a survey of bioinformatics Definition 2 (from [2]) : A global multiple alignment of methods applied to this task, outlining the individual tasks k > 2 strings S = S1,S2,...,Sk is a natural generalization and methods used to solve them. It is argued that the early of alignment for two strings. Chosen spaces are inserted conclusion that such methods are ineffective against polymor- into (or at either end of) each of the k strings so that the re- phic attacks is in fact too pessimistic. sulting strings have the same length, defined to be l. Then Keywords— network threat analysis, sequence alignment, edit the strings are arrayed in k rows of l columns each, so distance, bioinformatics. that each character and space of each string is in a unique column. Alignment is necessary, since evolutionary processes intro- 1. Introduction duce mutations in the DNA and biologists do not know, whether nth symbol in one sequence indeed corresponds to When biologists discover a new gene, its function is not al- the nth symbol of the other sequence – a shift is probable.
  • Small Business Information Security: the Fundamentals

    NISTIR 7621 Small Business Information Security: The Fundamentals. Richard Kissel, Computer Security Division, Information Technology Laboratory, National Institute of Standards and Technology, Gaithersburg, MD 20899. October 2009. U.S. Department of Commerce, Gary Locke, Secretary. National Institute of Standards and Technology, Patrick D. Gallagher, Deputy Director. Acknowledgements: The author, Richard Kissel, wishes to thank his colleagues and reviewers who contributed greatly to the document's development. Special thanks go to Mark Wilson, Shirley Radack, and Carolyn Schmidt for their insightful comments and suggestions. Kudos to Kevin Stine for his awesome Word editing skills. Certain commercial entities, equipment, or materials may be identified in this document in order to describe an experimental procedure or concept adequately. Such identification is not intended to imply recommendation or endorsement by the National Institute of Standards and Technology, nor is it intended to imply that the entities, materials, or equipment are necessarily the best available for the purpose. Table of Contents: Overview; 1. Introduction; 2. The "absolutely necessary" actions that a small
  • Introduction to Database Security

    © Jones & Bartlett Learning, LLC. NOT FOR SALE OR DISTRIBUTION. © Digital_Art/Shutterstock. Chapter 8: Introduction to Database Security. Table of Contents: 8.1 Issues in Database Security; 8.2 Fundamentals of Access Control; 8.3 Database Access Control; 8.4 Using Views for Access Control; 8.5 Security Logs and Audit Trails; 8.6 Encryption; 8.7 SQL Data Control Language; 8.8 Security in Oracle; 8.9 Statistical Database Security; 8.10 SQL Injection; 8.11 Database Security and the Internet; 8.12 Chapter Summary; Exercises.
    Chapter Objectives. In this chapter you will learn the following: the meaning of database security; how security protects privacy and confidentiality; examples of accidental or deliberate threats to security; some database security measures; the meaning of user authentication; the meaning of authorization; how access control can be represented; how the view functions as a security device.
  • Analysis of Computer Network Information Security and Protection Strategy

    MATEC Web of Conferences 267, 02013 (2019) https://doi.org/10.1051/matecconf/201926702013 ISC 2018. Analysis of Computer Network Information Security and Protection Strategy. Xiaobo Ming, Ying Chen, Jinhua Guo, Shangrao Vocational and Technical College, Jiangxi, Shangrao, 334001. Abstract. Computers are closely related to our life and work. We have entered an era in which computers are indispensable in all walks of life, and many important documents and materials are stored as electronic files on computers. However, computers are not absolutely safe, and cases of information theft occur from time to time. Most people keep information confidential by means of encryption. How to avoid computer information security problems is the open question: computer network security involves many aspects, and solving these problems draws on many levels of technology, such as cryptography and network security technology. Our country has also done much research on the security protection of computer network technology, and these research results have produced concrete outcomes in the actual construction of computer networks. In order to ensure the normal operation of computer networks, ensure information security and prevent information leakage and theft, a special protection system has been established to ensure the security of computer network information by setting up computer detection, security assessment and other links. However, with the rapid development of science and technology, electronic products are updated faster and faster, and the challenge that WeChat poses for network security information is more severe. How to protect computer network information security needs to be solved urgently, and this paper discusses this.
  • Cybersec and Human Performance in Degraded Modes

    Violations and Human Performance in Cybersecurity. Prof. Chris Johnson, School of Computing Science, University of Glasgow, Scotland. http://www.dcs.gla.ac.uk/~johnson Copyright C.W. Johnson, 2012.
    Aim is to Provoke Discussion... • Common software components into ATM: networks, Linux, VOIP, SBAS... • Human performance concerns everywhere: huge problems of competence, incl. regulators; many conflicts between safety and security; inconsistent, inapplicable rules (lack of HF input); consistent, known violation of policies. • Recommendations: act now, these are violations NOT errors. • From a human factors perspective… why are ANSPs waiting for the attack?
    Paranoia? • Many policies only exist on paper. • Huge problem with complacency. • "FAA ineffective in all critical areas including operational systems information security, future systems modernization security, management structure, policy implementation" (US Government Auditors Office).
    DoT Review of FAA CyberSecurity. DoT: "unless effective action is taken quickly, it is likely to be a matter of when, not if, ATC systems encounter attacks that do serious harm to ATC operations." "Attackers can take advantage of software vulnerabilities in commercial IP products to exploit ATC systems, which is especially worrisome at a time when the Nation is facing increased threats from sophisticated nation-state-sponsored cyber attacks."
    Conflict Between Security and Safety • Existing safety standards, e.g. ED-153: focus on verification and validation, in proportion to SWAL/criticality. • Anti-viral systems violate ED-153: updated every 24-48 hours; could themselves bring down ACC; cannot test anti-virus definitions without increasing security exposure.
  • Improving the Cyber Security of Consumer Internet of Things Report

    Secure by Design Report. Secure by Design: Improving the cyber security of consumer Internet of Things. Contents: Foreword by the Minister for Digital and Creative Industries; Executive Summary; 1. The Internet of Things (IoT) - new opportunities and risks for consumers; 2. Context of the Review; 3. Promoting a Secure by Design Approach to Consumer IoT Security; 4. Code of Practice for Industry on Consumer IoT; 5. Supporting Actions by the Government and Industry; 6. Building an International Consensus; 7. Conclusion; 8. Annex A: Glossary of Terms; 9. Annex B: Options Analysis Summary.
    Foreword (Margot James, Minister for Digital and Creative Industries). As we deliver our vision for the UK to be the safest place to live and do business online, it is critical that we make sure the internet works for everyone. That means, as Government and industry work together to ensure we protect the UK from cyber attacks, we must also reduce the burden on end users by embedding effective cyber security practices at every stage of a connected product's life cycle. Increased connectivity via the internet of things ("IoT") provides fantastic opportunities for the UK. A key part of this Government's ambition is to expand on the aspirations set out in our Digital Strategy through enhancing our status as an international leader in the development and uptake of IoT. However, we must ensure that individuals are able to access and benefit from connected technologies safely, confident that adequate security and privacy measures are in place to protect their online activity.
  • The Basic Components of an Information Security Program MBA Residential Technology Forum (RESTECH) Information Security Workgroup

    ONE VOICE. ONE VISION. ONE RESOURCE. The Basic Components of an Information Security Program. MBA Residential Technology Forum (RESTECH) Information Security Workgroup. 20944 MBA.ORG. Copyright © October 2019 by Mortgage Bankers Association. All Rights Reserved. Copying, selling or otherwise distributing copies and / or creating derivative works for commercial purposes is strictly prohibited. Although significant efforts have been used in preparing this guide, MBA makes no representations or warranties with respect to the accuracy and completeness of the contents. If legal advice or other expert assistance is needed, competent professionals should be consulted. Copying in whole or in part for internal business purposes and other non-commercial uses is permissible provided attribution to Mortgage Bankers Association is included, either through use of the previous paragraph (when copying / distributing the white paper in full) or the following (when distributing or including portions in a derivative work): "Source: Mortgage Bankers Association, The Basic Components of an Information Security Program, by the Information Security Work Group of the MBA Residential Technology Forum (RESTECH), 2019, [page(s)]."
    Table of Contents: Preface; 1. Introduction; 2. Laws and Regulations for Information Security; 3. First Priority Cybersecurity Practices; 3.1 Manage Risk; 3.2 Protect Your Endpoints; 3.3 Protect Your Internet Connection; 3.4 Patch Your Operating Systems and Applications; 3.5 Make Backup Copies of Important Business Data / Information; 3.6 Control Physical Access to Your Computers and Network Components; 3.7 Secure Your Wireless Access Points and Networks; 3.8 Train Your Employees in Basic
  • Security-By-Design Framework

    Security-by-Design Framework. Version: 1.0. Document History: Version No. 1.0, 09 November 2017, Author: Cyber Security Agency of Singapore, Changes: Release. Security by Design Framework | Page 2. Contents: 1. Introduction; 2. Purpose; 3. Scope and Applicability; 4. Audience; 5. Framework Overview; 5.1 Systems Development Lifecycle (SDLC); 5.2 Notes on Agile Development Lifecycle; 5.3 Security-by-Design Lifecycle; 5.4 Security-by-Design Approach; 5.5 Security-by-Design Framework